[Snort-sigs] Mac OSX Ransomware

Paul Bottomley Paul.Bottomley at ...3813...
Thu Jul 18 06:20:58 EDT 2013


Probably not the best-written rule, given the amount of matches on the regex, and I'm sure there are loads of ways to write this rule (see source on pastebin link), so if anyone wants to better this, feel free :)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac OSX Ransomware Excessive iframes"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern; pcre:"/(?:<iframe\s+src=.*){150}/";............)


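An added example, not from the post or the Snort project: a Python re-implementation of the rule's detection logic run over constructed page bodies. It uses a variant of the pcre that lets each iteration consume only the text up to the next <iframe, because the posted `(?:<iframe\s+src=.*){150}` backtracks across every combination of tags and does not finish on a page that nearly reaches the threshold; a plain tag count is shown as the cheaper equivalent. All names and sample bodies are constructed for this example.

```python
"""Constructed re-implementation of the "excessive iframes" rule logic (not Snort)."""
import re
from urllib.parse import unquote

# The rule's content match with Snort's |22| and |25| hex bytes decoded ('"' and '%').
# Snort content matches are case-sensitive unless nocase is set, so plain 'in' mirrors it.
FAST_PATTERN = '<iframe src="YOUR%20BROWSER%20HAS%20BEEN%20LOCKED'
IFRAME_THRESHOLD = 150  # the {150} in the posted pcre

# Backtracking-safe form of the pcre: each iteration may only consume text that
# does not start another <iframe, so the engine cannot retry every subset of tags.
# [\s\S] also crosses newlines, which the posted '.' (no /s flag) would not.
SAFE_PCRE = re.compile(
    r"(?:<iframe\s+src=(?:(?!<iframe)[\s\S])*){%d}" % IFRAME_THRESHOLD
)
IFRAME_TAG = re.compile(r"<iframe\s+src=", re.IGNORECASE)


def rule_matches(body):
    """Mirror the rule's order: fast-pattern content first, then the (safe) pcre."""
    if FAST_PATTERN not in body:
        return False
    return SAFE_PCRE.search(body) is not None


def iframe_count(body):
    """Count iframe tags with a linear scan."""
    return len(IFRAME_TAG.findall(body))


def count_matches(body):
    """Same verdict as rule_matches without any repeated-group regex."""
    return FAST_PATTERN in body and iframe_count(body) >= IFRAME_THRESHOLD


def locked_message(body):
    """Decode the %-encoded text the rule keys on, for analyst notes."""
    m = re.search(r'<iframe src="([^"]+)"', body)
    return unquote(m.group(1)) if m else None


# Constructed sample bodies, not captured traffic.
LOCKER_IFRAME = '<iframe src="YOUR%20BROWSER%20HAS%20BEEN%20LOCKED"></iframe>\n'
LOCKER_PAGE = "<html><body>" + LOCKER_IFRAME * 150 + "</body></html>"
ALMOST_PAGE = "<html><body>" + LOCKER_IFRAME * 149 + "</body></html>"
BENIGN_PAGE = ("<html><body>"
               + '<iframe src="https://example.test/ad"></iframe>' * 3
               + "</body></html>")
```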

